LockBit Leads as Rampant Ransomware Activity Continues

Ransomware actors continue to focus their attacks on the manufacturing sector, and LockBit remains the most prolific threat group, according to the results of the GuidePoint Research and Intelligence Team’s (GRIT) Q1 2023 ransomware report.

The study indicates ransomware activity rose by 25% compared to the fourth quarter of last year, with the United States bearing the brunt of ransomware attacks, followed by the UK, Germany, Canada and France.

The survey noted the top five most active ransomware threat actors included LockBit, Clop, AlphV, Royal and BianLian.

Extortion and Coercion

Increases in “data only” extortion efforts and increasingly coercive selective public leaks are among the most popular methods threat actors use to maintain profitability and market share as they adapt to an increasingly crowded ransomware-as-a-service (RaaS) ecosystem.

Drew Schmitt, managing security consultant at GuidePoint Security, pointed out that the report’s identification of escalating trends with respect to RaaS groups is especially notable.

“Over time, we have observed ransomware groups evolving based on pressures from law enforcement and organizations defending themselves better,” he said.

As ransomware groups see their revenue declining, they are likely to continue escalating extortion tactics, and that is exactly what is happening, Schmitt said.

Schmitt advised cybersecurity teams to continue to focus their efforts on early detection and response. Doing so reduces the risk of an encounter with a ransomware group that might be especially eager to cause damage in order to receive a ransom payment.

He noted that the manufacturing industry tends to be targeted because of its use of operational technology (OT) in addition to traditional information technology infrastructure.

“In many cases, legacy operating systems are needed to run manufacturing equipment and maintain their operational capabilities,” he said. “This results in a vulnerable attack surface that is sought-after by many threat actors.”

Additionally, many manufacturing companies are widely distributed geographically, which often leads to greater attack surface exposure. That expanded attack surface results in increased risk of being targeted by ransomware groups.

The Business of Ransomware

Schmitt explained that, ultimately, LockBit’s ability to run as an efficient business is likely the most significant contributor to their continued success.

“They have processes, infrastructure and tools that allow them to be effective from a technology and operations perspective,” he said. “Additionally, their vetting process for their affiliate program is extremely thorough and focused on having proven individuals as part of their program.”

Similarly, their effective use of affiliate rules to control targeting and punish those who target critical infrastructure has kept them from reaching the top of the list for law enforcement action.

As outlined in the quarterly report, additional escalating tactics are likely to emerge from RaaS groups if their revenue continues to decline.

“Many of the recent escalating tactics GRIT has observed have been geared toward forcing their victims to pay versus escalating tactics as part of a ‘shock and awe’ campaign to the cybersecurity industry as a whole,” Schmitt said.

He pointed out that eCrime and financially motivated groups in general have continuously evolved their tactics to achieve their monetary goals.

“Moving forward into 2023, I believe we will see a significant evolution in how groups approach extortion,” he said. “Anecdotally, we observed that the organizations that prevented ransomware from being deployed within their environments follow a defense-in-depth strategy.

This approach focuses on using foundational technologies like EDR and pairing that with smart, dedicated cybersecurity professionals to prevent and detect threats in the environment, and to effectively respond when needed.

“If organizations focus on having a solid cybersecurity foundation comprised of industry best practices and a team of great people, those are the organizations that have a great security posture and are far less likely to be impacted by ransomware,” Schmitt said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
